Necurs Botnet Distributing Sextortion Email Scams

Two recent sextortion scam campaigns seem to rely on the Necurs botnet infrastructure to distribute the messages, security researchers have discovered.

Sextortion scammers pick their targets from leaked databases with email addresses and cracked passwords. Armed with this information, the scammers pretend to be in possession of videos showing the potential victim watching explicit videos.

In exchange for not sharing the video with people close to the victim, the scammer demands a payment in cryptocurrency.

Blame it on Aaron Smith

Researchers at Cisco Talos investigated two such campaigns - one started on August 30, the other on October 5 - and named them the 'Aaron Smith' sextortion scams after the 'From:' header of the messages.

The messages went to 15,826 distinct email addresses, with each recipient receiving an average of 15 sextortion messages. With one user, however, the scammers made an exception and delivered 354 messages, Schultz details.

The Necurs botnet connection

During their investigation, Talos researchers found that about 1,000 sending IP addresses involved in the Aaron Smith operations were also used in an international sextortion campaign that IBM X-Force experts discovered in September and associated with the Necurs botnet.

Talos made the connection with Necurs based on 20 cryptocurrency wallets identified by IBM X-Force.
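The overlap check described above (sending IPs and wallet addresses shared between two campaigns) can be sketched as follows; this is an added example, not code from Talos or IBM X-Force. The message layout, the IP and wallet values, and all function names are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Legacy Base58 bitcoin address shape (starts with 1 or 3); bech32 is not covered.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def indicators(raw):
    msg = message_from_string(raw)
    # The top Received header is written by the receiving server, so the sender cannot forge it.
    received = msg.get_all("Received") or []
    hit = IP_RE.search(received[0]) if received else None
    body = msg.get_payload()  # a str for the single-part messages handled here
    return {"from_name": parseaddr(msg.get("From", ""))[0],
            "rcpt": parseaddr(msg.get("To", ""))[1].lower(),
            "ip": hit.group(1) if hit else None,
            "wallets": set(BTC_RE.findall(body)) if isinstance(body, str) else set()}

def correlate(raw_messages, known_ips, known_wallets, from_name="Aaron Smith"):
    # Cluster on the From display name, then intersect with the other campaign's indicators.
    per_rcpt, ips, wallets = Counter(), set(), set()
    for ind in map(indicators, raw_messages):
        if ind["from_name"] != from_name:
            continue
        per_rcpt[ind["rcpt"]] += 1
        wallets |= ind["wallets"]
        ips.add(ind["ip"])  # a None entry drops out in the intersection below
    return {"recipients": len(per_rcpt),
            "avg_per_recipient": sum(per_rcpt.values()) / len(per_rcpt) if per_rcpt else 0.0,
            "max_per_recipient": max(per_rcpt.values(), default=0),
            "shared_ips": ips & set(known_ips),
            "shared_wallets": wallets & set(known_wallets)}

# Constructed sample data: documentation IP ranges and fake wallet strings.
WALLET_A, WALLET_B = "1" + "A" * 33, "3" + "B" * 33
def make_sample(rcpt, ip, wallet, name="Aaron Smith"):
    return (f"Received: from host ([{ip}]) by mx.example.org\n"
            f"From: {name} <sender@example.com>\nTo: {rcpt}\nSubject: sample\n\n"
            f"Send the payment to {wallet}\n")

SAMPLE = [make_sample("u1@example.net", "192.0.2.10", WALLET_A),
          make_sample("u1@example.net", "192.0.2.11", WALLET_A),
          make_sample("u2@example.net", "192.0.2.10", WALLET_B),
          make_sample("u3@example.net", "198.51.100.5", WALLET_B, name="Other Sender")]

if __name__ == "__main__":
    print(correlate(SAMPLE, {"192.0.2.10", "203.0.113.7"}, {WALLET_B}))
```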

The financial details

The two Aaron Smith campaigns ran for about 60 days, and the operators asked for between $1,000 and $7,000, amounts that were not tailored to each victim but randomly generated.

Victims who fell for the scam paid a total of 23.3653711 bitcoins, the equivalent of $146,380.31. The bitcoins were distributed across 58,611 unique bitcoin wallet addresses, but only 83 of them had active balances.

However, the researchers found that some of the wallets received payments smaller than $1,000. The explanation for this was that some of the bitcoin wallet addresses were used in other spam campaigns.

These details are in contrast with other sextortion campaigns that proved more profitable. For instance, some scammers make at least €40,000 from victims in Europe.

Ionut Ilascu is freelancing as a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.